4,000+ Websites in the West Found Infected With Crypto-Mining Malware

Some key websites belonging to UK and US government agencies were found to be running crypto-mining malware. The website of the Information Commissioner’s Office (ICO) was first investigated by security researcher Scott Helme after he received an alert that AV filters were raising red flags.

“The first thought was that the ICO website was compromised. I started digging into this after firing off a few emails to contact people who may be able to help with disclosure. I quickly found out that the script, while being present on the ICO website, was not being hosted by the ICO, it was included by a third-party library they loaded,” he explained.

“To load a crypto miner on 1,000 websites you need not attack 1,000 websites but only the one website that they all load content from. In this case it was Texthelp, an assistive technology provider, that had been compromised and one of their hosted script files changed.” Attackers had compromised a JavaScript file that was part of the Texthelp Browsealoud product by adding malicious code that effectively installed the CoinHive miner.

Key websites infected by CoinHive include the US Courts, the General Medical Council and NHS Inform, among others. The researcher revealed that neutralizing the attack requires just a small code change to how the Browsealoud script was loaded.

“We have added SRI Integrity Attribute which allows the browser to determine if the file has been modified, which further allows it to reject the file. The appropriate script tags can be easily generated using the SRI Hash Generator and rest assured the crypto miner could not have found its way into the page,” he explained.

For absolute protection, a Content Security Policy can be used together with the require-sri-for directive. This makes sure that no script is allowed to load on the page without an SRI integrity attribute.
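The SRI check described above can be reproduced offline. The following Python sketch is an added example, not code from the researcher or from Texthelp: it computes an integrity value, mimics the browser's accept/reject decision for a modified file, and lists third-party scripts on a page that carry no integrity attribute. The hostnames, file contents and function names are constructed for illustration.

```python
import base64
import hashlib
from html.parser import HTMLParser
from urllib.parse import urlparse

STRENGTH = ("sha256", "sha384", "sha512")  # weakest to strongest

def sri_hash(content, alg="sha384"):
    """Value for a script tag's integrity attribute."""
    digest = hashlib.new(alg, content).digest()
    return f"{alg}-{base64.b64encode(digest).decode()}"

def browser_accepts(content, integrity):
    """Mimic the browser's check: strongest listed algorithm, any matching hash."""
    hashes = [h for h in integrity.split() if h.split("-", 1)[0] in STRENGTH]
    if not hashes:
        return True  # no usable metadata: the file loads unchecked
    best = max((h.split("-", 1)[0] for h in hashes), key=STRENGTH.index)
    return sri_hash(content, best) in hashes

class ScriptAudit(HTMLParser):
    """Collect cross-origin <script src> tags that lack an integrity attribute."""
    def __init__(self, page_host):
        super().__init__()
        self.page_host, self.unpinned = page_host, []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        host = urlparse(a.get("src") or "").netloc
        if tag == "script" and host and host != self.page_host and not a.get("integrity"):
            self.unpinned.append(a["src"])

def unpinned_scripts(html, page_host):
    audit = ScriptAudit(page_host)
    audit.feed(html)
    return audit.unpinned

# Constructed sample data: a stand-in library file, a modified copy, and a page.
ORIGINAL = b"function readAloud(){/* assistive toolbar */}\n"
TAMPERED = ORIGINAL + b"loadExtraScript();\n"
PINNED = sri_hash(ORIGINAL)
PAGE = f"""<script src="/js/site.js"></script>
<script src="https://cdn.example/lib.js" integrity="{PINNED}" crossorigin="anonymous"></script>
<script src="https://widgets.example/toolbar.js"></script>"""

if __name__ == "__main__":
    print("original accepted:", browser_accepts(ORIGINAL, PINNED))
    print("tampered accepted:", browser_accepts(TAMPERED, PINNED))
    print("scripts without SRI:", unpinned_scripts(PAGE, "www.example"))
```

Pinning a hash only works for files the provider versions and does not change in place; a legitimate update to a pinned file is rejected the same way as a malicious one until the hash is regenerated.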

Cyber criminals have found an easy way to make money through crypto-mining. Most criminals are turning away from ransomware to focus on the new tactic, according to Cisco Talos. Even IBM has claimed to have seen a sixfold increase in crypto-mining malware attacks between January and August 2017.